Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC agent SSO with Anyconnect Issue

I want to preface this by saying that i am very green when it comes to NAC. we had an implementation done for my organization by a 3rd party vendor with no training and I don't have a good working knowledge of the system at all.

my immediate problem is with the SSO of the NAC client. SSO works fine if a user engages our Anyconnect VPN connections by opening the already installed Anyconnect client and logging in as usual. the NAC agent pops up a few moments later and you're in.

but when a user uses the browser to log in to the SSL portal and then get the Anyconnect pushed down to them, once the connection is made the NAC agent pops up a Login screen instead of just going thru as it does for the other scenario.

i've had a look at my Mapping Rules for the cisco VPN and it appears we're mapping role based on IP address. Expressions like (0,8 contains 10.56.80) etc. and as stated above, these seem to work fine when you launch Anyconnect standalone but not when Anyconnect is launched by the web browser login prodcedure.

Any ideas or places i should be looking?

Thanks in advance,

Ben Posner

Everyone's tags (3)
New Member

NAC agent SSO with Anyconnect Issue


debug radius on the ASA to ensure that both login scenarios are sending hte same data to the NAC. they are NOT. the debug radius output from the working anyconnect scenario (stand alone launch) shows three extra lines that the debug from the non-working scenario (web launched) that are missing:

Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = (0x0A38510B)

since i'm using the framed-ip-address as part of they nac profile identification i'd say that this is WHY the nac isn't working right in the web launched scenario but i don't know why the ASA isn't sending this info to the NAC...

New Member

NAC agent SSO with Anyconnect Issue


I also had this issue. I enabled 'interim-accounting update' in the RADIUS server properties:

aaa-server NACSERVER protocol radius


This resolved it for me.